Many methods are in use for establishing secure communications between a source node and a destination node in a computer network, and many can be used specifically for TCP/IP network communications. These methods, however, rely on specially defined protocols to initiate and manage the secure communications.
One well-established method of secure communications for network traffic relies on the Secure Sockets Layer (SSL) protocol and its successor, Transport Layer Security (TLS); SSL itself has since been deprecated in favor of TLS, but the term SSL remains in common use. The SSL protocol is widely used to secure communications traveling to and from portions of web applications where the data requires extra protection, using Hypertext Transfer Protocol (HTTP) over SSL, commonly known as HTTPS. SSL is also a popular means of securing communications within a Virtual Private Network (VPN) environment, commonly known as SSL VPN. In both situations (HTTPS and SSL VPN), the SSL protocol is used to establish and manage the secure communications, operating on top of the TCP/IP protocol. Specific destinations are configured to require SSL secure communications, and communications with those destinations are secured using SSL. SSL and TLS operate above TCP and below the application protocol layer (where HTTP and other application protocols exist), a position conventionally mapped to the session layer (Layer 5) of the Open Systems Interconnection (OSI) network protocol layer model. SSL requires multiple handshake messages to be sent and received between a source node and a destination node to establish secure communications. SSL requires the destination node (the server) to present a certificate that the source node can verify against a trusted certificate authority; a certificate for the source node (client) is optional and is required only when the destination is configured to demand client authentication.
Another well-known and widely used method of secure communications for network traffic is Internet Protocol Security (IPsec), described in IETF RFCs 1825-1829 and then revised in RFCs 2401-2412 (a third generation, RFCs 4301-4309, now exists and is essentially a superset of RFCs 2401-2412). Like SSL, IPsec is widely used to secure communications within a VPN environment, commonly known as IPsec VPN. IPsec has also been applied to provide secure communications between nodes in internal network configurations. IPsec defines a protocol family consisting of two traffic-protection protocols, the Authentication Header (AH) protocol and the Encapsulating Security Payload (ESP) protocol (key management is handled separately by the Internet Key Exchange, IKE), and IPsec takes the approach of modifying the IP packet structure to insert an AH or ESP header into each IP packet. One well-known problem with these modifications is that they are in many cases not compatible with Network Address Translation (NAT), which is very widely used in current IPv4 network configurations: AH authenticates the source and destination addresses of the IP header, so any address rewrite by a NAT invalidates the packet, and while ESP does not authenticate the outer IP header, ESP packets carry no transport port numbers, so a port-translating NAT has nothing to rewrite in order to distinguish multiple inside hosts (a technique referred to as NAT-Traversal or NAT-T, which encapsulates ESP packets in UDP on port 4500, is used to help address this issue). The IPsec policies that define which communications to secure are stored in a Security Policy Database (SPD) on each node, and the negotiated security associations (keys, algorithms and sequence state) that implement those policies are stored in a Security Association Database (SAD) and referenced by a Security Parameter Index (SPI). The policy selectors typically rely on IP addresses, protocols and ports as identifiers for which communications to secure.
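The following is a constructed example added here to illustrate the two points of the paragraph above; it is not part of the original text and is not the code of any IPsec implementation. It models, in simplified form, why an AH integrity check fails after a NAT address rewrite while an ESP check survives it, why ESP still cannot pass a port-translating NAT without NAT-T, and how an SPD selector lookup on addresses, protocol and port decides which traffic is protected and which SAD entry applies. The packet layout, the policy and SA tables, the keys and the addresses are all constructed for the demonstration, and the integrity check value is an HMAC-SHA256 over the fields AH or ESP would cover rather than the exact RFC 4302/4303 wire format.

```python
"""Constructed IPsec model (added example, not from the original text):
AH vs ESP under NAT, NAT-T, and SPD/SAD selector lookup. Simplified layout;
ICV is HMAC-SHA256 over the covered fields, not the RFC 4302/4303 format."""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional

TCP, UDP, ESP, AH = 6, 17, 50, 51
NAT_T_PORT = 4500  # UDP port for ESP-in-UDP encapsulation (RFC 3948)

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    ttl: int
    sport: int = 0          # 0 = no transport port (ESP/AH carry none)
    dport: int = 0
    payload: bytes = b""

@dataclass(frozen=True)
class SA:
    spi: int
    proto: int              # ESP or AH
    key: bytes              # constructed; real keys are negotiated by IKE

@dataclass(frozen=True)
class SPDEntry:
    src_net: str
    dst_net: str
    proto: Optional[int]    # None = any protocol
    dport: Optional[int]    # None = any port
    action: str             # PROTECT, BYPASS or DISCARD
    spi: Optional[int] = None

def ah_icv(pkt, sa):
    """AH covers the IP header (mutable fields such as TTL zeroed) plus payload,
    so the addresses are authenticated and a NAT rewrite invalidates the ICV."""
    covered = (ipaddress.ip_address(pkt.src).packed
               + ipaddress.ip_address(pkt.dst).packed
               + bytes([pkt.proto, 0]) + pkt.payload)
    return hmac.new(sa.key, covered, hashlib.sha256).digest()

def esp_icv(pkt, sa):
    """ESP covers only the ESP header (SPI) and the encapsulated payload."""
    return hmac.new(sa.key, sa.spi.to_bytes(4, "big") + pkt.payload,
                    hashlib.sha256).digest()

def verify(pkt, sa, icv):
    calc = ah_icv(pkt, sa) if sa.proto == AH else esp_icv(pkt, sa)
    return hmac.compare_digest(calc, icv)

def napt(pkt, public_ip, public_port):
    """Port-translating NAT: must rewrite a transport port to multiplex inside
    hosts. ESP and AH have no port, so they cannot be translated (None)."""
    if pkt.proto not in (TCP, UDP):
        return None
    return replace(pkt, src=public_ip, sport=public_port, ttl=pkt.ttl - 1)

def nat_t_encapsulate(pkt):
    """NAT-T: wrap ESP in UDP/4500 so a NAPT has a port to rewrite."""
    return replace(pkt, proto=UDP, sport=NAT_T_PORT, dport=NAT_T_PORT)

def nat_t_decapsulate(pkt):
    return replace(pkt, proto=ESP, sport=0, dport=0)

def spd_lookup(spd, pkt):
    """First-match lookup on the selectors; unmatched traffic is discarded."""
    for e in spd:
        if (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(e.src_net)
                and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(e.dst_net)
                and e.proto in (None, pkt.proto)
                and e.dport in (None, pkt.dport)):
            return e
    return SPDEntry("0.0.0.0/0", "0.0.0.0/0", None, None, "DISCARD")

# Constructed policy (SPD) and security association (SAD) tables.
SAD = {0x1001: SA(0x1001, ESP, b"demo-esp-key"), 0x1002: SA(0x1002, AH, b"demo-ah-key")}
SPD = [SPDEntry("192.168.1.0/24", "10.0.0.0/24", TCP, 443, "PROTECT", 0x1001),
       SPDEntry("192.168.1.0/24", "10.0.0.0/24", UDP, 53, "BYPASS")]

def nat_observations():
    """Effect of a NAT rewriting 192.168.1.10 to 203.0.113.7 on AH and ESP."""
    ah_sa, esp_sa = SAD[0x1002], SAD[0x1001]
    ah_pkt = Packet("192.168.1.10", "10.0.0.5", AH, 64, payload=b"data")
    esp_pkt = Packet("192.168.1.10", "10.0.0.5", ESP, 64, payload=b"data")
    ah_icv0, esp_icv0 = ah_icv(ah_pkt, ah_sa), esp_icv(esp_pkt, esp_sa)
    rewritten_ah = replace(ah_pkt, src="203.0.113.7", ttl=63)
    rewritten_esp = replace(esp_pkt, src="203.0.113.7", ttl=63)
    via_nat_t = napt(nat_t_encapsulate(esp_pkt), "203.0.113.7", 40001)
    return {
        "ah_survives_address_rewrite": verify(rewritten_ah, ah_sa, ah_icv0),
        "esp_survives_address_rewrite": verify(rewritten_esp, esp_sa, esp_icv0),
        "esp_passes_napt": napt(esp_pkt, "203.0.113.7", 40001) is not None,
        "esp_with_nat_t_passes_napt": via_nat_t is not None
            and verify(nat_t_decapsulate(via_nat_t), esp_sa, esp_icv0),
    }

def policy_decisions():
    """(action, SPI) chosen by the SPD/SAD for three constructed outbound packets."""
    pkts = [Packet("192.168.1.10", "10.0.0.5", TCP, 64, 51000, 443),
            Packet("192.168.1.10", "10.0.0.53", UDP, 64, 51001, 53),
            Packet("192.168.1.10", "10.0.0.5", TCP, 64, 51002, 22)]
    out = []
    for p in pkts:
        e = spd_lookup(SPD, p)
        sa = SAD.get(e.spi) if e.action == "PROTECT" else None
        out.append((e.action, sa.spi if sa else None))
    return out

if __name__ == "__main__":
    print(nat_observations())
    print(policy_decisions())
```

Running the block shows the AH check failing once the source address is rewritten, the ESP check surviving the same rewrite, the port-translating NAT rejecting bare ESP, and the NAT-T encapsulated ESP packet passing the NAT and still verifying after decapsulation; the policy lookup protects TCP/443 to the 10.0.0.0/24 network under SPI 0x1001, bypasses DNS, and discards everything else, which is the selector-driven behaviour the SPD and SAD provide on a real node.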